
billev2k | 1 year ago

I'm pretty leery of making the "access key" and "secret key" so public (like typing them into a web page, or setting them in environment variables). Of course it adds significant friction to set up an IAM identity for every user, and "low friction" is one of the key requirements here.


ryanianian | 1 year ago

A "correct" implementation would give you a temporary IAM role or something (STS) based on a JWT or other authn mechanism.

This is not that difficult if you're already invested in an identity ecosystem, but a right pain without something to bootstrap it.

On the plus side, AWS creds can be made to be temporary and limited in scope to just the nouns/verbs required. Creating and vending those tokens is an exercise for the reader.

420official | 1 year ago

It really isn't that challenging to get going with JWT auth in AWS. Gitlab has pretty good documentation for how to use Gitlab ID tokens to assume roles that includes everything other than how to generate a JWT here: https://docs.gitlab.com/ee/ci/cloud_services/aws/

And of course generating OIDC PKI JWTs is pretty easy and well documented elsewhere.

The harder parts in my mind are:

  - Updating this OSS project to serve a JWK from OIDC .well-known
  - Convincing people that this method of authn is safe and that those keys are securely stored